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(g) Method for providing user access control within a distributed data processing system by the 
exchange of access control profiles. 

(57) a method is disclosed for providing user access control for a plurality of resource objects within a 
distributed data processing system having a plurality of resource managers. A reference monitor service 
is established and a plurality of access control profiles are stored therein. Thereafter, selected access 
control profiles are exchanged between the reference monitor service and a resource manager in 
response to an attempted access (82) of a particular resource object controlled by tha L'^ U ^ 
manager. The resource manager may then control access to the resource object by utitong the 
exchanged access control profile (86-98). In a preferred embodiment of the present invenbon, each 
access control profile may include access control information relating to a selected user; a selected 
resource object; a selected group of user; a selected set of resource objects; or, a predetermined set 
of resource objects and a selected group of users. 
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METHOD FOR PROVIDING USER ACCESS CONTROL WITHIN A DISTRIBUTED DATA PROCESSING 
SYSTEM BY THE EXCHANGE OF ACCESS CONTROL PROFILES 



The present invention relates to data processing 
systems in general and in particular to improved 
methods of providing access control for a plurality of 
resource objects within a distributed data processing 
system. Still more particularly, the present invention 
relates to a system which permits the rapid and effi- 
cient interchange of access control information 
throughout a distributed data processing system. 

Security and access control systems in computer 
based data processing systems are well known in the 
prior art Existing access control systems are gener- 
ally oriented to a single host system. Such single host 
access control systems are generally utilized to pro- 
vide security for the host and access control to appli- 
cations and system resources, such as files. Each 
application must generally provide access control for 
the resources controlled by that application. 

One example of an access control system desig- 
ned for utilization with the IBM 370 system is a product 
called RACF, or Resource Assets Control Facility. 
RACF offers access control for applications, such as 
files or CICS transactions and is hierarchically orien- 
ted in access authority levels and grouping of users. 
RACF is a "password* oriented access control system 
and access is granted or denied based upon a user's 
individual identity and his or her knowledge of an 
appropriate password to verify that identity. The 
RACF system is, however, oriented to a single host 
system and cannot be employed in a distributed data 
processing system which employs multiple hosts 
associated with separate groups of resource objects, 
due to the fact that this system does not allow the 
interchange of access control Information from one 
host to another. 

Another example of known access control sys- 
tems is AS/400. The AS/400 system is a capability 
based system in which security is based upon each 
individual resource object Each user is authorized to 
access individual resource objects based upon the 
user's capability within the system. The AS/400 sys- 
tem maintains security by keeping User Profiles, 
Object Authority, and System Values within the 
architecture of the machine itself. As above, this sys- 
tem is highly efficient at controlling access to resource 
objects controlled by a single host ; however, access 
to resource objects located within a distributed data 
processing system containing multiple hosts cannot 
be controlled. That is, access to a resource object 
controlled by one host cannot be obtained by a user 
enrolled at a second host 

One other example of an access control system 
is the DB2 product This product permits a more flexi- 
ble access control and offers granular or bundled 
access control authority. For example, the DB2 sys- 



tem may utilize special authorities for administration 
or database operations. Further, access privilege may 
be bundled into a specified authority or role so that a 
user may access specific resource objects based 

5 upon the user's title or authority level f rather than the 
user's personal identity. However, as above, the DB2 
system does not possess the capability of exchanging 
access control information with non-DB2 applications. 
Therefore, it should be obvious that a need exists 

10 for a method of providing access control in a distri- 
buted data processing system whereby access to 
selected resource objects may be controlled through- 
out the distributed data processing system by means 
of the exchange of access control information 

15 throughout the system. 

It is therefore one object of the present invention 
to provide an improved data processing system. 

It is another object of the present invention to pro- 
vide an improved method of providing access control 

20 for a plurality of resource objects within a distributed 
data processing system. 

It is yet another object of the present invention to 
provide an improved method of providing access con- 
trol for a plurality of resource objects within a distri- 

25 buted data processing system which permits the rapid 
and efficient interchange of access control infor- 
mation throughout a distributed data processing sys- 
tem. 

The foregoing objects are achieved as is now 

30 described. The method of the present invention may 
be utilized to provide user access control for a plurality 
of resource objects within a distributed data proces- 
sing system having a plurality of resource managers. 
A reference monitor service is established and a 

35 plurality of access control profiles are stored therein. 
Thereafter, selected access control profiles are 
exchanged between the reference monitor service 
and a resource manager in response to an attempted 
access of a particular resource object controlled by 

40 that resource manager. The resource manager may 
then control access to the resource object by utilizing 
the exchanged access control profile. In a preferred 
embodiment of the present invention, each access 
control profile may include access control information 

45 relating to a selected user; a selected resource 
object ; a selected group of users ; a selected set of 
resource objects ; or, a predetermined set of resource 
objects and a selected list of users each authorized to 
access at least a portion of said predetermined set of 

so resource objects. 

The novel features believed characteristic of the 
invention are set forth in the appended claims. The 
invention itself however, as well as a preferred mode 
of use, further objects and advantages thereof, will 



NSDOCID: <EP 0442B38A2J_> 



EP 0 442 838 A2 



best be understood by reference to the following 
detailed description of an illustrative embodiment 
when read in conjunction with the accompanying 
drawings, wherein : 

Figure 1 depicts a pictorial representation of a dis- 
tributed data processing system which may be 
utilized to implement the method of the present 
invention ; 

Figure 2 depicts in block diagram form the access 
control system utilized with the method of the pre- 
sent invention ; 

Figure 3 is a high level flow chart depicting the 
establishment of an access control system in 
accordance with the method of the present inven- 
tion ; and 

Figure 4 is a high level flow chart depicting access 

to a resource object in accordance with the 

method of the present invention. 

With reference now to the figures, and in particu- 
lar with reference to Figure 1, there is depicted a pic- 
torial representation of a data processing system 8 
which may be utilized to implement the method of the 
present invention. As may be seen, data processing 
system 8 may include a plurality of networks, such as 
Local Area Networks (LAN) 10 and 32, each of which 
preferably includes a plurality of individual computers 
12 and 30, respectively. Of course, those skilled in the 
art will appreciate that a plurality of Interactive Work 
Stations (IWS) coupled to a host processor may be 
utilized for each such network. 

As is common in such data processing systems, 
each individual computer may be coupled to a storage 
device 14 and/or a printer/output device 16. One or 
more such storage devices 14 may be utilized, in 
accordance with the method of the present invention, 
to store applications or resource objects which may 
be periodically accessed by any user within data pro- 
cessing system 8. In a manner well known in the prior 
art, each such application or resource object stored 
within a storage device 14 is associated with a 
Resource Manager, which is responsible for maintain- 
ing and updating all resource objects associated 
therewith. 

Still referring to Figure 1 , it may be seen that data 
processing network 8 may also include multiple main 
frame computers, such as main frame computer 18, 
which may be preferably coupled to Local Area Net- 
work (LAN) 10 by means of communications link 22. 
Main frame computer 18 may also be coupled to a 
storage device 20 which may serve as remote storage 
for Local Area Network (LAN) 10 . Similariy, Local 
Area Network (LAN) 10 may be coupled via communi- 
cations link 24 through a subsystem control 
unit/communications controller 26 and communi- 
cations link 34 to a gateway server 28. Gateway ser- 
ver 28 is preferably an individual computer or 
Interactive Work Station (IWS) which serves to link 
Local Area Network (LAN) 32 to Local Area Network 



(LAN) 10. 

As discussed above with respect to Local Area 

5 Network (LAN) 32 and Local Area Network (LAN) 1 0, 
resource objects may be stored within storage device 
20 and controlled by main frame computer 18, as 
resource manager for the resource objects thus 
stored. Of course, those skilled in the art will 

10 appreciate that main frame computer 18 may be 
located a great geographic distance from Local Area 
Network (LAN) 10 and similariy Local Area Network 
(LAN) 10 may be located a substantial distance from 
Local Area Network (LAN) 32. That is, Local Area Net- 

15 work (LAN) 32 may be located in California while 
Local Area Network (LAN) 10 may be located within 
Texas and main frame computer 18 may be located 
in New York. 

In known prior art systems of this type, should the 

20 user of an individual computer 30 desire to access a 
resource object stored within storage device 20, 
associated with main frame computer 18, it wfll be 
necessary for the user of computer 30 to be enrolled 
within the security system of main frame computer 1 8. 

25 This is necessary in order for the user of computer 30 
to present the proper password to obtain access to the 
desired resource objecL Of course, those skilled in 
the art will appreciate that this technique will prove 
ungainly in distributed data processing systems, such 

30 as data processing system 8 depicted within Figure 1. 

Referring now to Figure 2, there is depicted in 
block diagram form the access control system which 
is utilized with the method of the present invention. As 
is depicted, Local Area Networks (LAN) 1 0 and 32 are 

35 illustrated by dashed lines as is main frame computer 
18. In each instance resource objects 42, 48 and 54 
are illustrated in association with each portion of dis- 
tributed data processing system 8 of Figure 1. Of 
course, each object thus illustrated will be stored 

40 within one or more storage devices associated with 
each portion of data processing system 8. As is illus- 
trated, Local Area Network 10 includes a resource 
manager 40 which may be one or more individual 
computers which are utilized to manage selected 

45 resource objects. Also established within Local Area 
Network 10 is a Reference Monitor 44. Reference 
Monitor 44, in accordance with the method of the pre- 
sent invention, is an application or service which is 
utilized to store access control profiles which may 

so include access control information relating to : selec- 
ted users ; selected resource objects ; a selected 
group of users ; a selected set of resource objects ; 
or, a predetermined set of resource objects and a 
selected list of users, each authorized to access at 

55 least a portion of said predetermined set of resource 
objects. 

Still referring to Figure 2, it may be seen that 
within Local Area Network (LAN) 33 a resource man- 
ager 46 is illustrated, which is utilized, in a manner 
well known in the art, to control access to resource 
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object 48. Similarly, a Reference Monitor 50 is 
established within Local Area Network (LAN) 32. 
Reference Monitor 50 is, as described above, prefer- 
ably utilized to store access control profiles relating to 
individual users within Local Area Network 32 as well 
as resource objects stored within Local Area Network 
32. 

Finally, main frame computer 18 is illustrated as 
including a resource manager 52 which has 
associated therewith one or more resource objects 
54. 

In accordance with an important feature of the 
present invention, any attempted access of a 
resource object, such as resource object 42, 48 or 54 
will automatically result in a query by the associated 
resource manager to one or more Reference Monitor 
applications to determine whether or not the access 
requested will be permitted. It should be noted that, in 
accordance with the depicted embodiment of the pre- 
sent invention, only one Reference Monitor appli- 
cation is required for data processing system 8 ; 
however, two are illustrated. In accordance with the 
method of the present invention, communications 
links between a single Reference Monitor application 
may be established with each and every resource 
manager within data processing system 8 (see Figure 
1 ) so that access to selected resource objects may be 
controlled in accordance with the access control infor- 
mation stored within the profiles within that Reference 
Monitor. 

In this manner, a user within Local Area Network 
(LAN) 32 may, via the communications links depicted 
within Figure 1, request access to a resource object 
54 associated with main frame computer 1 8. As will be 
explained in greater detail herein, resource manager 
52 will then query Reference Monitor 44 and/or Refer- 
ence Monitor 50 to determine whether or not a profile 
exists which permits the requested access. If so, the 
profile information is exchanged between the approp- 
riate Reference Monitor and resource manager 52 
and access to resource object 54 may be permitted. 

With reference now to Figure 3, there is depicted 
a high level flow chart illustrating the establishment of 
an access control system in accordance with the 
method of the present invention. As is illustrated, the 
process begins at block 60 and thereafter passes to 
block 62, which depicts the defining of an access con- 
trol profile for an object or group of objects, by the 
associated resource manager. Thereafter, block 64 
illustrates the storing of that profile within a Reference 
Monitor application. Next, block 66 illustrates a deter- 
mination of whether or not additional objects require 
an access control profile to be established and if so, 
the process returns to block 62 and continues there- 
after in an iterative fashion. 

In the event no additional resource objects 
require access control profiles, the process passes to 
block 68 which illustrates the establishment by an 
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associated resource manager of an access control 
profile for one or more users within the distributed 
5 data processing system. Thereafter, block 70 illus- 
trates the storing of the access control profile thus 
created in an associated Reference Monitor appli- 
cation. Block 72 next determines whether not 
additional users within the data processing system 
10 require access control profiles to be created. If so, as 
above, the process returns to block 68 to define the 
additional profiles. In the event no additional users 
require access control profiles, then the process ter- 
minates, as illustrated in block 74. Of course, those 
15 skilled in the art will appreciate that in this manner it 
will be possible to create various access control pro- 
files which contain access control information relating 
to a single resource object, a group of resource 
objects, an individual user, a group of users, or, a pre- 
20 determined set of resource objects and a selected 
group of users. 

Finally, referring to Figure 4, there is depicted a 
high level flow chart depicting access to a resource 
object in accordance with the method of the present 
25 invention. As is illustrated, the process begins at block 
80 and thereafter passes to block 82 which illustrates 
the receipt by a resource manager of an access 
request for a resource object within that resource 
manager's purview. Next, the process passes to block 
30 84 which illustrates the query of the nearest Refer- 
ence Monitor application to determine whether or not 
an access control profile exists for the resource object 
or user in question. 

Block 86 next depicts a determination of whether 
35 or not the appropriate access control profile is defined 
locally and if so, block 88 illustrates a determination 
of whether or not access to the specific resource 
object is permitted. This determination is, as those 
skilled in the art will appreciate, simply a matter of 
40 comparing the defined access control profile with the 
parameters of the resource object and the user in 
question. Thereafter, as illustrated in block 90, if the 
determination of block 88 so permits, access to the 
resource object is provided and the process termi- 
45 nates, as depicted in block 92. 

Returning to block 86, in the event an access con- 
trol profile is not defined locally, then block 94 illus- 
trates a determination of whether or not an 
appropriate access control profile is defined any- 
50 where within the system. If so, block 96 depicts the 
retrieval of that profile and the process then returns to 
block 88 for a determination of whether or not access 
to the selected resource object is permitted. Thereaf- 
ter, if access is permitted, the process passes to block 
55 90 which illustrates the accessing of the resource 
object and the subsequent termination of the process. 

In the event the access control profile required fe 
not defined anywhere within data processing system 
8, (see Figure 1) or access to the desired resource 
object is not permitted, as illustrated by the determi- 

5 



EP 0 442 838 A2 



nation within block 88, then block 98 depicts the denial 
of access to the requested resource object with an 
appropriate message to the requester. 5 

Upon reference to the foregoing, those skilled in 
the art will appreciate that by utilizing one or more 
Reference Monitor applications within a distributed 
data processing system, each containing one or more 
access control profiles relating to resource objects or 10 
users, it will be possible to control access to a plurality 
of resource objects located within various subsec- 
tions of a distributed data processing system, without 
requiring each individual user within the distributed 
data processing system 8 to enroll with each resource 
manager located at every point within the system. By 
permitting the rapid and efficient interchange of 
access control profiles containing access control 
information throughout the system, necessary access 
control decisions are made at a limited number of 
locations and the process is greatly enhanced in 
terms of efficiency. 
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Claims 

1. A method of providing user access control for a 
plurality of resource objects within a distributed 
data processing system having a plurality of 
resource managers associated with said plurality 
of resource objects, said method comprising the 
steps of : 

storing a plurality of access control profiles 
within a reference monitor service (64) ; 

exchanging a selected access control pro- 35 
file between said reference monitor service and a 
selected resource manager in response to an 
attempted access of a particular resource object 
(82) ; and 

utilizing said resource manager to control 40 
access to said particular resource object in 
accordance with said selected access control 
profile (90, 98). 



ted ones of said plurality of access control profiles 
each include access control information relating 
to a selected set of resource objects. 

The method according to Claim 1 wherein selec- 
ted ones of said plurality of access controlprofOes 
each include access control information relating 
to a predetermined set of resource objects and a 
selected list of users each authorized to access 
at least a portion of said predetermined set of 
resource objects. 



7. A method of providing user access control for a 
plurality of resource objects within a distributed 
data processing system having a plurality of 
resource managers associated with said plurality 
of resource objects, said method comprising the 
20 steps of : 

establishing a reference monitor service 
within said distributed data processing system ; 

storing a plurality of access control profiles 
within said reference monitor service ; 
25 exchanging a selected access control pro- 

file between said reference monitor service and a 
selected resource manager in response to an 
attempted access of a particular resource object; 
and 

30 utilizing said resource manager to control 

access to said particular resource object in 
accordance with said selected access control 
profile. 



8. The method according to Claim 7 wherein selec- 
ted ones of said plurality of access control profiles 
each include access control information relating 
to a selected user. 

9. The method according to Claim 7 wherein selec- 
ted ones of said plurality of access control profiles 
each include access control information relating 
to a selected resource object 



2. The method according to Claim 1 wherein selec- 
ted ones of said plurality of access control profiles 
each include access control information relating 
to a selected user. 

3. The method according to Claim 1 wherein selec- 
ted ones of said plurality of access control profiles 
each include access control information relating 
to a selected resource object 



45 10. The method according to Claim 7 wherein selec- 
ted ones of said plurality of access control profiles 
each include access control information relating 
to a selected group of users. 

so 11. The method according to Claim 7 wherein selec- 
ted ones of said plurality of access control profHes 
each include access control information relating 
to a selected set of resource objects. 



4. The method according to Claim 1 wherein selec- ss 
ted ones of said plurality of access control profiles 
each include access control information relating 

to a selected group of users. 

5. The method according to Claim 1 wherein selec- 
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(57) A method is disclosed for providing user 
access control for a plurality of resource 
objects within a distributed data processing 
system having a plurality of resource managers. 
A reference monitor service is established and a 
plurality of access control profiles are stored 
therein. Thereafter, selected access control pro- 
files are exchanged between the reference 
monitor service and a resource manager in 
response to an attempted access (82) of a par- 
ticular resource object controlled by that re- 
source manager. The resource manager may 
then control access to the resource object by 
utilizing the exchanged access control profile 
(86-98). In a preferred embodiment of the pre- 
sent invention, each access control profile may 
include access control information relating to a 
selected user ; a selected resource object ; a 
selected group of user ; a selected set of resour- 
ce objects ; or, a predetermined set of resource 
objects and a selected group of users. 
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